Firefox Vulnerable Through Old QuickTime Bug

ZDNet's Ryan Naraine reports about the Firefox bug that never went away.

About a year ago Petko D. Petkov reported on bugs in the interface between QuickTime and the Firefox browser. Mozilla patched one of the bugs, but not the other. The bug allows control of the browser and potentially code execution if the user runs a media file handled by iTunes on a system where Firefox is the default browser. Note that QuickTime is installed along with iTunes, so iTunes Windows users are vulnerable.

Petkov reported in a blog entry (which is offline right now as I check it) that the flaw allows remote code execution with the privileges of the logged-in user, and therefore could lead to a compromise of the system if the user is logged in as an administrator.

Later on Naraine reported (see the "UPDATE" section) that Mozilla security chief Window Snyder essentially confirmed the report and the severity thereof. One year later Mozilla is working on a fix for the bug.